MidnightBSD

Advisories for selinc

CVE-2013-0665 MEDIUM

Schweitzer Engineering Laboratories (SEL) AcSELerator QuickSet before 5.12.0.1 uses weak permissions for its Program Files directory, which allows local users to replace executable files, and consequently gain privileges, via standard filesystem operations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
selinc acselerator_quickset *
CVE-2013-2792 HIGH

Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices allow remote attackers to cause a denial of service (infinite loop) via a crafted DNP3 TCP packet.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
selinc sel-3530 r123-v0-z002001
selinc sel-2241 r113-v0-z001001-d20110721
selinc sel-2241 r123-v0-z002001-d20130117
selinc sel-3530-4 r107-v0-z001001-d20100818
selinc sel-3530 r100_-v0-z001001-d20090915
selinc sel-3505 r123-v0-z002001-d20130117
selinc sel-3530-4 r123-v0-z002001-d20130117
selinc sel-3505 r119-v0-z001001-d20120720
CVE-2013-2798 MEDIUM

Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices allow physically proximate attackers to cause a denial of service (infinite loop) via crafted input over a serial line.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
selinc sel-3530 r123-v0-z002001
selinc sel-2241 r113-v0-z001001-d20110721
selinc sel-2241 r123-v0-z002001-d20130117
selinc sel-3530-4 r107-v0-z001001-d20100818
selinc sel-3530 r100_-v0-z001001-d20090915
selinc sel-3505 r123-v0-z002001-d20130117
selinc sel-3530-4 r123-v0-z002001-d20130117
selinc sel-3505 r119-v0-z001001-d20120720
CVE-2017-7928 HIGH

An Improper Access Control issue was discovered in Schweitzer Engineering Laboratories (SEL) SEL-3620 and SEL-3622 Security Gateway Versions R202 and, R203, R203-V1, R203-V2 and, R204, R204-V1. The device does not properly enforce access control while configured for NAT port forwarding, which may allow for unauthorized communications to downstream devices.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
selinc sel-3622_firmware r202
selinc sel-3622_firmware r203-v
selinc sel-3622_firmware r203
selinc sel-3620_firmware r204
selinc sel-3620_firmware r203-v
selinc sel-3620_firmware r203-v1
selinc sel-3622_firmware r203-v1
selinc sel-3622_firmware r204-v1
selinc sel-3620_firmware r203
selinc sel-3620_firmware r202
selinc sel-3620_firmware r204-v1
selinc sel-3622_firmware r204
CVE-2018-10600 HIGH

SEL AcSELerator Architect version 2.2.24.0 and prior allows unsanitized input to be passed to the XML parser, which may allow disclosure and retrieval of arbitrary data, arbitrary code execution (in certain situations on specific platforms), and denial of service attacks.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
selinc acselerator_architect *
CVE-2018-10604 MEDIUM

SEL Compass version 3.0.5.1 and prior allows all users full access to the SEL Compass directory, which may allow modification or overwriting of files within the Compass installation folder, resulting in escalation of privilege and/or malicious code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276,CWE-276,

Products Affected

Vendor Product Version
selinc sel_compass *
CVE-2018-10608 HIGH

SEL AcSELerator Architect version 2.2.24.0 and prior can be exploited when the AcSELerator Architect FTP client connects to a malicious FTP server, which may cause denial of service via 100% CPU utilization. Restart of the application is required.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
selinc acselerator_architect *
CVE-2023-2264

An improper input validation vulnerability in the Schweitzer Engineering Laboratories SEL-411L could allow a malicious actor to manipulate authorized users to click on a link that could allow undesired behavior. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@selinc.com 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.6 3.4

Products Affected

Vendor Product Version
selinc sel-411l_firmware *
selinc sel-411l_firmware r129-v0
selinc sel-411l_firmware r128-v0
CVE-2023-2265

An Improper Restriction of Rendered UI Layers or Frames in the Schweitzer Engineering Laboratories SEL-411L could allow an unauthenticated attacker to perform clickjacking based attacks against an authenticated and authorized user. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
selinc sel-411l_firmware *
selinc sel-411l_firmware r129-v0
selinc sel-411l_firmware r128-v0
CVE-2023-2266

An Improper neutralization of input during web page generation in the Schweitzer Engineering Laboratories SEL-411L could allow an attacker to generate cross-site scripting based attacks against an authorized and authenticated user. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
selinc sel-411l_firmware *
selinc sel-411l_firmware r129-v0
selinc sel-411l_firmware r128-v0
CVE-2023-2267

An Improper Input Validation vulnerability in Schweitzer Engineering Laboratories SEL-411L could allow an attacker to perform reflection attacks against an authorized and authenticated user. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
selinc sel-411l_firmware *
selinc sel-411l_firmware r129-v0
selinc sel-411l_firmware r128-v0
CVE-2023-2310

A Channel Accessible by Non-Endpoint vulnerability in the Schweitzer Engineering Laboratories SEL Real-Time Automation Controller (RTAC) could allow a remote attacker to perform a man-in-the-middle (MiTM) that could result in denial of service. See the ACSELERATOR RTAC SEL-5033 Software instruction manual date code 20210915 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H 1.6 5.2

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31148

An Improper Input Validation vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to execute arbitrary code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31149

An Improper Input Validation vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to execute arbitrary code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31150

A Storing Passwords in a Recoverable Format vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) database system could allow an authenticated attacker to retrieve passwords. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 8.0 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 1.3 6.0

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31151

An Improper Certificate Validation vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote unauthenticated attacker to conduct a man-in-the-middle (MitM) attack. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N 1.6 2.7

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31152

An Authentication Bypass Using an Alternate Path or Channel vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface allows Authentication Bypass. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N 1.0 2.7

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31153

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code.See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31154

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31155

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31156

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31157

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31158

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31159

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31160

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31161

An Improper Input Validation vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow an authenticated remote attacker to use internal resources, allowing a variety of potential effects. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L 1.7 3.7

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31162

An Improper Input Validation vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to arbitrarily alter the content of a configuration file. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L 1.7 2.7

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31163

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31164

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31165

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31166

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to create folders in arbitrary paths of the file system. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N 2.3 1.4

Products Affected

Vendor Product Version
selinc sel-3560e_firmware *
selinc sel-3532_firmware *
selinc sel-3350_firmware *
selinc sel-3505_firmware *
selinc sel-3505-3_firmware *
selinc sel-2241_rtac_module_firmware *
selinc sel-3530_firmware *
selinc sel-3530-4_firmware *
selinc sel-3560s_firmware *
selinc sel-3555_firmware *
CVE-2023-31167

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Schweitzer Engineering Laboratories SEL-5036 acSELerator Bay Screen Builder Software on Windows allows Relative Path Traversal. SEL acSELerator Bay Screen Builder software is distributed by SEL-5033 SEL acSELerator RTAC, SEL-5030 Quickset, and SEL Compass. CVE-2023-31167 and was patched in the acSELerator Bay Screen Builder release available on 20230602. Please contact SEL for additional details. This issue affects SEL-5036 acSELerator Bay Screen Builder Software: before 1.0.49152.778.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 5.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N 1.3 3.6
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
selinc sel-5036_acselerator_bay_screen_builder *
CVE-2023-31168

An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N 1.1 4.0
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
selinc sel-5030_acselerator_quickset *
CVE-2023-31169

An Improper Handling of Unicode Encoding vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N 2.1 3.6
security@selinc.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N 1.2 3.6

Products Affected

Vendor Product Version
selinc sel-5030_acselerator_quickset *
CVE-2023-31170

An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
security@selinc.com 5.9 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N 1.5 4.0

Products Affected

Vendor Product Version
selinc sel-5030_acselerator_quickset *
CVE-2023-31171

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 5.9 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N 1.5 4.0
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
selinc sel-5030_acselerator_quickset *
CVE-2023-31172

An Incomplete Filtering of Special Elements vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 5.9 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N 1.5 4.0
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N 2.8 4.0

Products Affected

Vendor Product Version
selinc sel-5030_acselerator_quickset *
CVE-2023-31173

Use of Hard-coded Credentials vulnerability in Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator on Windows allows Authentication Bypass. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.4 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.5 5.9
security@selinc.com 7.7 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 2.5 5.2

Products Affected

Vendor Product Version
selinc sel-5037_sel_grid_configurator *
CVE-2023-31174

A Cross-Site Request Forgery (CSRF) vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N 2.8 4.0
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
selinc sel-5037_sel_grid_configurator *
CVE-2023-31175

An Execution with Unnecessary Privileges vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to run system commands with the highest level privilege on the system. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
selinc sel-5037_sel_grid_configurator *
CVE-2023-31176

An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication.  See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security@selinc.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
selinc sel-451_firmware r327-v0
selinc sel-451_firmware r326-v0
selinc sel-451_firmware *
CVE-2023-31177

An Improper Neutralization of Input During Web Page Generation  ('Cross-site Scripting') in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security@selinc.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
selinc sel-451_firmware r327-v0
selinc sel-451_firmware r326-v0
selinc sel-451_firmware *
CVE-2023-34388

An Improper Authentication vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote unauthenticated attacker to potentially perform session hijacking attack and bypass authentication. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
selinc sel-451_firmware r327-v0
selinc sel-451_firmware r326-v0
selinc sel-451_firmware *
CVE-2023-34389

An allocation of resources without limits or throttling vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to make the system unavailable for an indefinite amount of time. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 4.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H 0.9 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
selinc sel-451_firmware r327-v0
selinc sel-451_firmware r326-v0
selinc sel-451_firmware *
CVE-2023-34390

An input validation vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to create a denial of service against the system and locking out services. See product Instruction Manual Appendix A dated 20230830 for more details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
security@selinc.com 4.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H 0.9 3.6

Products Affected

Vendor Product Version
selinc sel-451_firmware r327-v0
selinc sel-451_firmware r326-v0
selinc sel-451_firmware *
CVE-2023-34391

Insecure Inherited Permissions vulnerability in Schweitzer Engineering Laboratories SEL-5033 AcSELerator RTAC Software on Windows allows Leveraging/Manipulating Configuration File Search Paths. See Instruction Manual Appendix A [Cybersecurity] tag dated 20230522 for more details. This issue affects SEL-5033 AcSELerator RTAC Software: before 1.35.151.21000.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6
security@selinc.com 7.4 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L 0.8 6.0

Products Affected

Vendor Product Version
selinc sel-5033_acselerator_real-time_automation_controller *
CVE-2023-34392

A Missing Authentication for Critical Function vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to run arbitrary commands on managed devices by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@selinc.com 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 1.5 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
selinc sel-5037_sel_grid_configurator *